The official Google Android apps market is full of spam and malware.
I’ve seen it in action at a security analysts’ conference I attended almost a year ago. Ever since, I’ve been trying to spread the word to anyone I care about.
Today, it’s you guys.
I know a CEO of a well known credit card company that got his Android phone tapped. The CEO!
Look, I’ve been telling my close friends for some time now. There is a serious problem with security on Android. People put everything on their amazingly clever phone, but take no precautions about which apps they download.
People, you’re giving access to your credit card, to tapping your calls, to your entire world. Why aren’t you nervous? Are you nuts??
I don’t care how amazingly good or clever these Android phones are. I don’t care for their specifications. I care for my privacy a darn lot more.
It took Microsoft years and years to realize that PC applications should be sandboxed. Apple got it right from day one on the iPhone. When will Google admit they got it wrong?
More malware found hosted in Google’s official Android market | Ars Technica
http://arstechnica.com/security/2012/07/more-malware-found-hosted-in-google-android-market/
Android.Dropdialer, a trojan that racks up costly charges from forced calls made to premium phone numbers, was found in two separate titles … according to a blog post published Tuesday by Irfan Asrar, a researcher with antivirus provider Symantec. “Super Mario Bros.” and “GTA 3 Moscow City,” as the malicious apps were packaged, generated as many as 100,000 downloads…
So much fail in one article.
“It took Microsoft years and years to realize that PC applications should be sandboxed. Apple got it right from day one on the iPhone. When will Google admit they got it wrong?”
Android applications run in a sandbox. They can NOT access data belonging to other applications (hence, even 3rd party backup tools do not work on non-rooted devices). They also cannot communicate with other applications except using loosely coupled messages (“intents”).
And yeah, sure Apple got this right on the very first day of the iPhone. Because you couldn’t install ANYTHING at all – the iTunes store was introduced later.
“I don’t care how amazingly good or clever these Android phones are. I don’t care for their specifications. I care for my privacy a darn lot more.”
So do I, and Android helps me. Each application has its own permissions you have to accept when installing it. And if a game wants to call or send SMS messages, I’ll not install it. Sure, Google could remove this, but dumb people will always find a way to hurt themselves.
Hey Thomas,
Thanks for joining the debate, I’d love to get an Android user opinion on this.
First about Apple, I obviously meant “day one” as in the day that the AppStore was launched, not the day the first iPhone was shipped. And yes, they got it in terms of what apps are allowed to do and not do.
On the subject of the sandbox, which I thank you very much for emphasizing: I’m not talking about the sandbox only at the programmatic level, where I stand corrected by your comment.
I’m talking about what an app can do without your knowledge on an iPhone vs. an Android. Much of the stuff that malware and spammy apps do on Android, if not most, is not accessible via public APIs on iPhone. And in 99.99% of the cases, apps that use private APIs won’t get into the AppStore to begin with.
That is Apple’s biggest win, in my opinion. The ability to feel rather safe when downloading something from the AppStore.
And yeah, people might be doing what you call “dumb stuff”. But these people don’t know better. Many smartphone owners know absolutely nothing about security, privacy, malware, spamware or anything. So how could they understand the permissions that they accept? They just want to install the app, next next next and done.
I get that power users don’t like Apple’s approach, although I never found myself limited in any way. But most Android users are not power users, and they won’t stop doing “dumb stuff”.
And so, I believe the platform should provide a solution and protect its true assets – the users, not the devices.
“So how could they understand the permissions that they accept?”
Well, the permission is called “Services that cost you money” (in bold letters). You don’t need to be a security expert to understand that. Of course, children will still just accept these terms, hence children’s phones should not have access to any premium services (not even manually).
“Many of the stuff that malware and spammy apps do on Android, if not most, is not accessible via public APIs on iPhone.”
Sure, this way you reduce the risk, but even if you, for instance, forbid the sending of SMS messages, someone will find a way to scam you. As an example, here in Germany it is enough to register for a “service” just by typing your number into a webpage form. If you’re lucky, maybe you’ll find the expenses on your next bill and file an objection. So, as long as Apple does not forbid any kind of internet connection used in applications, you may end up getting scammed anyway. The only difference is that on Apple you may feel safe all the time, while on Android you have to learn to be more paranoid and take a look at the given permissions.
“I’m talking about what an app can do without your knowledge on an iPhone vs. an Android.”
I’ve looked into the “iOS Developer Library” to see which APIs are provided on iOS. Correct me if I’m wrong, but does it mean that _every_ application installed on an iOS device can look into your address book and your calendar, while having full access to the internet? Even if Apple looks at all applications uploaded to the iTunes store (not on code level, I guess?), for me this implies a huge privacy problem.
At least I heard of a prompt in iOS6 when the address book is accessed by an application.
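A defender-side illustration of the check Thomas describes in both of his comments (the permission list shown at install time, and the “Services that cost you money” label): the Python script below is an added example, not code from the post or from any commenter. It parses a constructed AndroidManifest.xml and reports which sensitive groups the app asks for, so the same check can be run on an APK before it is installed. The package name and permission set are made up, and the mapping of permission names to groups is an assumption that follows this discussion, not an official Android table.

```python
"""
Audit the permissions an Android app requests in its AndroidManifest.xml.

Added example (not from the original post or its commenters). The manifest
below is a constructed sample; the grouping of permissions into sensitive
groups is an assumption modelled on the discussion above.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed sample: a "game" that also asks to place calls and send SMS,
# exactly the combination the thread says a user should refuse.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Puzzle Game"/>
</manifest>
"""

COST_GROUP = "Services that cost you money"

# Assumed grouping (not an official Android list); the permission names
# themselves are real Android permission strings.
SENSITIVE_GROUPS = {
    COST_GROUP: {
        "android.permission.SEND_SMS",
        "android.permission.CALL_PHONE",
    },
    "Your personal information": {
        "android.permission.READ_CONTACTS",
        "android.permission.READ_CALENDAR",
    },
    "Your messages": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
    },
}


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    # <uses-permission> carries no namespace; only the attribute does.
    return [el.get(NAME_ATTR) for el in root.findall("uses-permission")
            if el.get(NAME_ATTR)]


def flag_sensitive(permissions) -> Dict[str, List[str]]:
    """Map each sensitive group to the requested permissions that fall in it."""
    flagged = {}
    for group, members in SENSITIVE_GROUPS.items():
        hits = sorted(p for p in permissions if p in members)
        if hits:
            flagged[group] = hits
    return flagged


def costs_money(manifest_xml: str) -> bool:
    """True when the app asks for anything in the 'costs you money' group."""
    return COST_GROUP in flag_sensitive(requested_permissions(manifest_xml))


def audit_report(manifest_xml: str, declared_category: str) -> List[str]:
    """Human-readable findings: which groups are requested, plus a warning
    when the app's declared category (e.g. a game) should need none of them."""
    perms = requested_permissions(manifest_xml)
    flagged = flag_sensitive(perms)
    lines = ["%d permission(s) requested" % len(perms)]
    for group, hits in flagged.items():
        lines.append("%s: %s" % (group, ", ".join(hits)))
    if declared_category == "game" and flagged:
        lines.append("WARNING: a game requesting these permissions is a red flag; do not install")
    return lines


if __name__ == "__main__":
    for line in audit_report(SAMPLE_MANIFEST, "game"):
        print(line)
```

On a real device the same list is what the installer shows before the “Install” button, which is the point Thomas makes: the information is there, and the script merely turns it into a yes/no decision that does not depend on the user reading bold text.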